Demystifying Cyber Risk: Webinar in review
The language around cyber risksecurity can be complex – both because of the amount of jargon involved and the lack of consistency...
when it comes to cyber insurance policy wordings.
Use this document as a reference to help you decode terminology and be aware of aspects of policies that can be misinterpreted.
While it’s helpful to have a solid understanding of cyber terminology to come across as cyber savvy, you’ll best build trust with clients if you’re able to explain terms in plain English. Here is a list of common cyber acronyms you are likely to encounter:
CIRP: Cyber incident response plan
CISO: Chief information security officer
DDoS: Distributed denial of service (attack)
DLP: Data loss prevention (system)
DRP: Disaster recovery plan
EDR: Endpoint detection & response
IDS: Intrusion detection system
MFA: Multi-factor authentication system
PCI-DSS: Payment card industry data security standard
PHI: Protected health information
PII: Personally identifiable information
VPN: Virtual private network
RDP: Remote desk protocol
Now think about how you can translate this jargon into plain terms. For example, an IDS is like a bouncer checking IDs at the door of a club to confirm that everyone who enters is above age and allowed to come in. Think of an EDR as someone who detects suspicious activity at the club and can toss a person out if needed. MFA, which typically includes the use of a user name/password and PIN to log into company systems, helps you confirm that your employees are who they say they are when they log in.
Understand the types of attacks
Malware is a catch-all term for many types of malicious software including worms, viruses, spyware, trojan horse, ransomware, bots and botnets. It’s delivered by adware and scams, spam, phishing (via email and text) and open ports (gaps in a firewall). Small companies can be deceptively appealing malware targets because they may have insufficient cybersecurity protections in place.
The key types of ransomware are Blocker and Crypto ransomware: Blocker ransomware blocks users out of basic computer functions. While the computer can be used to pay the ransom, it’s otherwise rendered useless. Crypto ransomware encrypts your critical data, such as documents and videos, while leaving basic computer functions untouched. (Ransomware attacks in the news include MAZE, Locky, Jigsaw, GoldenEye, Cryptolocker, GandCrab and WannaCry.)
Take the best precautions
All companies have cyber exposure of some kind. Planning your response with employees can help you respond quickly, efficiently and with minimal business interruption or financial loss.
Consider these examples from insureds:
- At a CRM software company, a senior manager fell victim to a phishing attack and thousands of email addresses were compromised. The company promptly notified those affected. The ICO – happy with the speed of the company’s response to secure and protect its data – didn’t take action. Key learnings from this incident: The insured believed early notification and prompt action helped with the positive ICO response. They also credited phishing exercises and other employee training for mitigating their exposure, as well as an open culture where employees are urged to report incidents without repercussions. Going forward, multi-factor authentication is a key consideration for the company, particularly with more employees working remotely.
- An IT managed service provider client was hacked and the client claimed against the insured for failing to patch their system update. The insurance contract contained a liability cap that limited the insured’s liability to less than £250,000 (vs £1 million without the cap). Key learnings from this incident: Timely reporting is essential, as are regular data backups (and checking to make sure those backups are working) to mitigate data exposure. Professionally written terms and conditions can provide protection too.
Get to know cyber policy wording
The language around cyber policies isn’t yet consistent – and will take time to become so. But that shouldn’t deter brokers from trying to understand it. Understanding policy terms and what the wording means in practice will go far in helping to protect the insured’s business.
Common misunderstandings arise around business interruption cover vs reputational harm. Some policies have both and some have one or the other. Both deal with the loss of income following a breach and pay to close the gap between the income the insured would have earned if no event had occurred and what the insured actually earned due to the event.
However, business interruption requires that the income loss stems from the insured’s computers being down, while reputational harm doesn’t necessitate that. Further, business interruption is subject to a waiting period (often 8-12 hours but sometimes up to 24 hours) before coverage kicks in, while reputational harm is subject to monetary excess.
It’s critical to scrutinise the wording of policies to understand when cover becomes active and what is covered. For example, wording referring to the interruption to an insured’s “systems” vs the insured’s “operations” can make a difference in cover. Words are often more important than numbers: A policy that promises system restorations within 180 days as opposed to 365 won’t make a difference when the vast majority of system restorations in the UK are resolved within a week after a breach. Be mindful of policy conditions like maintaining systems with up-to-date patching management – if your client is generally conscientious about protecting its systems but there was a slip-up, you want to make sure their coverage applies.
Finally, policy wording will generally reference the cover of extra expenses incurred as a result of a breach. For example, an insured may need to have IT personnel work around the clock or hire additional staff due to a cyber incident. A good cyber policy should say that extra expenses cover comes with “bricking” cover, which replaces non-functional equipment with functional equipment. Just ensure that, if bricking cover is added, the property damage exclusion has been amended to include a writeback for bricked equipment.
“There is still a low take-up of cyber insurance and a lot of future growth available in this space,” said Davis Kessler, Head of Cyber at Travelers Europe. “Brokers who make the effort to recognise what a good policy looks like and how that could meet client exposures will gain the confidence of insureds.”